in the schema per type.
3. Scope operations down to what the authenticated viewer should actually be able to see.
4. The cost of a GraphQL request is hard to predict, so setting constraints is a must.
5. Where possible, avoid giving clues about data that the user does not have access to.

Recap: